Domain 6 Flashcards
Security Assessment and Testing Programs
Provides a mechanism for validating the ongoing effectiveness of security controls with a variety of tools:
- Vuln assessments
- Pen test / software testing
- Audits
- Security management tasks
NOTE
Every org should have a security assessment and testing program defined and operational
Assessment & Testing
Vulnerability Assessments
Automated tools to search for known vulnerabilities in systems / apps / networks
- Flaws may include missing patches, misconfigs, or faulty code that expose the org
Assessment & Testing
Penetration tests
Uses same tools as vuln assessments but supplements them with attack techniques where an assessor attempts to exploit vulns and gain access to the system
Common Strategies:
- War Dialing - Bank of modems
- Sniffing
- Eavesdropping
- Dumpster Diving
- Social engineering
Software testing
Static Software Testing
Evaluates the security of software without running it by analyzing the source code or compiled app
Software testing
Dynamic Software Testing
Evaluates the software in a runtime environment
- Only option for orgs deploying apps written by someone else
Fuzzing
Testing technique
Uses modified inputs to test software performance under unexpected circumstances
- Mutation fuzzing modifies known inputs to produce many synthetic inputs that may trigger unexpected behavior
- Generational fuzzing develops inputs based on models of expected inputs to perform the same task
Security Management Oversight
Log Reviews
Particularly for admins; ensures systems are not misused
Security Management Oversight
Account Management Reviews
Ensures only authorized users retain access to systems
Security Management Oversight
Backup Verification
Most important SMO
Ensures the org's data protection process is functioning properly
Security Management Oversight
Key Performance and Risk Indicators
Provide a high-level view of security program effectiveness